Merge remote-tracking branch 'upstream/master'

adapters/oidc/adapter-core/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>2.4.1.Final-SNAPSHOT</version>
+        <version>2.5.0.Final-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AdapterDeploymentContext.java

@@ -342,6 +342,12 @@ public int getNotBefore() {
             return delegate.getNotBefore();
         }
 
+        @Override
+        public void updateNotBefore(int notBefore) {
+            delegate.setNotBefore(notBefore);
+            getPublicKeyLocator().reset(this);
+        }
+
         @Override
         public void setExposeToken(boolean exposeToken) {
             delegate.setExposeToken(exposeToken);
@@ -446,6 +452,16 @@ public void setMinTimeBetweenJwksRequests(int minTimeBetweenJwksRequests) {
         public int getMinTimeBetweenJwksRequests() {
             return delegate.getMinTimeBetweenJwksRequests();
         }
+
+        @Override
+        public int getPublicKeyCacheTtl() {
+            return delegate.getPublicKeyCacheTtl();
+        }
+
+        @Override
+        public void setPublicKeyCacheTtl(int publicKeyCacheTtl) {
+            delegate.setPublicKeyCacheTtl(publicKeyCacheTtl);
+        }
     }
 
     protected KeycloakUriBuilder getBaseBuilder(HttpFacade facade, String base) {

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/HttpAdapterUtils.java

@@ -46,14 +46,7 @@ public static <T> T sendJsonHttpRequest(KeycloakDeployment deployment, HttpReque
             }
             InputStream is = entity.getContent();
             try {
-                ByteArrayOutputStream os = new ByteArrayOutputStream();
-                int c;
-                while ((c = is.read()) != -1) {
-                    os.write(c);
-                }
-                byte[] bytes = os.toByteArray();
-                String json = new String(bytes);
-                return JsonSerialization.readValue(json, clazz);
+                return JsonSerialization.readValue(is, clazz);
             } finally {
                 try {
                     is.close();

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java

@@ -81,6 +81,7 @@ public class KeycloakDeployment {
     protected volatile int notBefore;
     protected int tokenMinimumTimeToLive;
     protected int minTimeBetweenJwksRequests;
+    protected int publicKeyCacheTtl;
     private PolicyEnforcer policyEnforcer;
 
     public KeycloakDeployment() {
@@ -328,6 +329,11 @@ public void setNotBefore(int notBefore) {
         this.notBefore = notBefore;
     }
 
+    public void updateNotBefore(int notBefore) {
+        this.notBefore = notBefore;
+        getPublicKeyLocator().reset(this);
+    }
+
     public boolean isAlwaysRefreshToken() {
         return alwaysRefreshToken;
     }
@@ -384,6 +390,14 @@ public void setMinTimeBetweenJwksRequests(int minTimeBetweenJwksRequests) {
         this.minTimeBetweenJwksRequests = minTimeBetweenJwksRequests;
     }
 
+    public int getPublicKeyCacheTtl() {
+        return publicKeyCacheTtl;
+    }
+
+    public void setPublicKeyCacheTtl(int publicKeyCacheTtl) {
+        this.publicKeyCacheTtl = publicKeyCacheTtl;
+    }
+
     public void setPolicyEnforcer(PolicyEnforcer policyEnforcer) {
         this.policyEnforcer = policyEnforcer;
     }

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java

@@ -105,6 +105,7 @@ protected KeycloakDeployment internalBuild(AdapterConfig adapterConfig) {
         deployment.setRegisterNodePeriod(adapterConfig.getRegisterNodePeriod());
         deployment.setTokenMinimumTimeToLive(adapterConfig.getTokenMinimumTimeToLive());
         deployment.setMinTimeBetweenJwksRequests(adapterConfig.getMinTimeBetweenJwksRequests());
+        deployment.setPublicKeyCacheTtl(adapterConfig.getPublicKeyCacheTtl());
 
         if (realmKeyPem == null && adapterConfig.isBearerOnly() && adapterConfig.getAuthServerUrl() == null) {
             throw new IllegalArgumentException("For bearer auth, you must set the realm-public-key or auth-server-url");

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java

@@ -357,7 +357,7 @@ protected AuthChallenge resolveCode(String code) {
             return challenge(403, OIDCAuthenticationError.Reason.INVALID_TOKEN, null);
         }
         if (tokenResponse.getNotBeforePolicy() > deployment.getNotBefore()) {
-            deployment.setNotBefore(tokenResponse.getNotBeforePolicy());
+            deployment.updateNotBefore(tokenResponse.getNotBeforePolicy());
         }
         if (token.getIssuedAt() < deployment.getNotBefore()) {
             log.error("Stale token");

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java

@@ -155,7 +155,7 @@ protected void handleLogout()  {
             } else {
                 log.debugf("logout of all sessions for application '%s'", action.getResource());
                 if (action.getNotBefore() > deployment.getNotBefore()) {
-                    deployment.setNotBefore(action.getNotBefore());
+                    deployment.updateNotBefore(action.getNotBefore());
                 }
                 userSessionManagement.logoutAll();
             }
@@ -177,7 +177,7 @@ protected void handlePushNotBefore()  {
             }
             PushNotBeforeAction action = JsonSerialization.readValue(token.getContent(), PushNotBeforeAction.class);
             if (!validateAction(action)) return;
-            deployment.setNotBefore(action.getNotBefore());
+            deployment.updateNotBefore(action.getNotBefore());
         } catch (Exception e) {
             throw new RuntimeException(e);
         }

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java

@@ -144,7 +144,7 @@ public boolean refreshExpiredToken(boolean checkActive) {
         }
 
         if (response.getNotBeforePolicy() > deployment.getNotBefore()) {
-            deployment.setNotBefore(response.getNotBeforePolicy());
+            deployment.updateNotBefore(response.getNotBeforePolicy());
         }
 
         this.token = token;

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/rotation/HardcodedPublicKeyLocator.java

@@ -37,4 +37,9 @@ public HardcodedPublicKeyLocator(PublicKey publicKey) {
     public PublicKey getPublicKey(String kid, KeycloakDeployment deployment) {
         return publicKey;
     }
+
+    @Override
+    public void reset(KeycloakDeployment deployment) {
+
+    }
 }

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/rotation/JWKPublicKeyLocator.java

@@ -25,7 +25,6 @@
 import org.keycloak.common.util.Time;
 import org.keycloak.jose.jwk.JSONWebKeySet;
 import org.keycloak.jose.jwk.JWK;
-import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.util.JWKSUtils;
 
 import java.security.PublicKey;
@@ -48,30 +47,43 @@ public class JWKPublicKeyLocator implements PublicKeyLocator {
     @Override
     public PublicKey getPublicKey(String kid, KeycloakDeployment deployment) {
         int minTimeBetweenRequests = deployment.getMinTimeBetweenJwksRequests();
+        int publicKeyCacheTtl = deployment.getPublicKeyCacheTtl();
+        int currentTime = Time.currentTime();
 
         // Check if key is in cache.
-        PublicKey publicKey = currentKeys.get(kid);
+        PublicKey publicKey = lookupCachedKey(publicKeyCacheTtl, currentTime, kid);
         if (publicKey != null) {
             return publicKey;
         }
 
-        int currentTime = Time.currentTime();
-
         // Check if we are allowed to send request
-        if (currentTime > lastRequestTime + minTimeBetweenRequests) {
-            synchronized (this) {
-                currentTime = Time.currentTime();
-                if (currentTime > lastRequestTime + minTimeBetweenRequests) {
-                    sendRequest(deployment);
-                    lastRequestTime = currentTime;
-                } else {
-                    log.debugf("Won't send request to realm jwks url. Last request time was %d", lastRequestTime);
-                }
+        synchronized (this) {
+            currentTime = Time.currentTime();
+            if (currentTime > lastRequestTime + minTimeBetweenRequests) {
+                sendRequest(deployment);
+                lastRequestTime = currentTime;
+            } else {
+                log.debugf("Won't send request to realm jwks url. Last request time was %d", lastRequestTime);
             }
+
+            return lookupCachedKey(publicKeyCacheTtl, currentTime, kid);
         }
+    }
 
-        return currentKeys.get(kid);
 
+    @Override
+    public void reset(KeycloakDeployment deployment) {
+        sendRequest(deployment);
+        lastRequestTime = Time.currentTime();
+    }
+
+
+    private PublicKey lookupCachedKey(int publicKeyCacheTtl, int currentTime, String kid) {
+        if (lastRequestTime + publicKeyCacheTtl > currentTime) {
+            return currentKeys.get(kid);
+        } else {
+            return null;
+        }
     }
 
 

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/rotation/PublicKeyLocator.java

@@ -34,4 +34,11 @@ public interface PublicKeyLocator {
      */
     PublicKey getPublicKey(String kid, KeycloakDeployment deployment);
 
+    /**
+     * Reset the state of locator (eg. clear the cached keys)
+     *
+     * @param deployment
+     */
+    void reset(KeycloakDeployment deployment);
+
 }

adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/KeycloakDeploymentBuilderTest.java

@@ -69,6 +69,7 @@ public void load() throws Exception {
         assertEquals("email", deployment.getPrincipalAttribute());
         assertEquals(10, deployment.getTokenMinimumTimeToLive());
         assertEquals(20, deployment.getMinTimeBetweenJwksRequests());
+        assertEquals(120, deployment.getPublicKeyCacheTtl());
     }
 
     @Test
@@ -78,6 +79,7 @@ public void loadNoClientCredentials() throws Exception {
 
         assertTrue(deployment.getPublicKeyLocator() instanceof JWKPublicKeyLocator);
         assertEquals(10, deployment.getMinTimeBetweenJwksRequests());
+        assertEquals(86400, deployment.getPublicKeyCacheTtl());
     }
 
     @Test

adapters/oidc/adapter-core/src/test/resources/keycloak.json

@@ -30,5 +30,6 @@
     "token-store": "cookie",
     "principal-attribute": "email",
     "token-minimum-time-to-live": 10,
-    "min-time-between-jwks-requests": 20
+    "min-time-between-jwks-requests": 20,
+    "public-key-cache-ttl": 120
 }

adapters/oidc/as7-eap6/as7-adapter-spi/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-as7-integration-pom</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>2.4.1.Final-SNAPSHOT</version>
+        <version>2.5.0.Final-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/as7-eap6/as7-adapter/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-as7-integration-pom</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>2.4.1.Final-SNAPSHOT</version>
+        <version>2.5.0.Final-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/as7-eap6/as7-subsystem/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>org.keycloak</groupId>
         <artifactId>keycloak-as7-integration-pom</artifactId>
-        <version>2.4.1.Final-SNAPSHOT</version>
+        <version>2.5.0.Final-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

adapters/oidc/as7-eap6/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>2.4.1.Final-SNAPSHOT</version>
+        <version>2.5.0.Final-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <name>Keycloak AS7 / JBoss EAP 6 Integration</name>

adapters/oidc/installed/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>2.4.1.Final-SNAPSHOT</version>
+        <version>2.5.0.Final-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/jaxrs-oauth-client/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>2.4.1.Final-SNAPSHOT</version>
+        <version>2.5.0.Final-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/jetty/jetty-core/pom.xml

@@ -21,7 +21,7 @@
     <parent>
 		<artifactId>keycloak-parent</artifactId>
 		<groupId>org.keycloak</groupId>
-        <version>2.4.1.Final-SNAPSHOT</version>
+        <version>2.5.0.Final-SNAPSHOT</version>
 		<relativePath>../../../../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

adapters/oidc/jetty/jetty8.1/pom.xml

@@ -21,7 +21,7 @@
     <parent>
 		<artifactId>keycloak-parent</artifactId>
 		<groupId>org.keycloak</groupId>
-        <version>2.4.1.Final-SNAPSHOT</version>
+        <version>2.5.0.Final-SNAPSHOT</version>
 		<relativePath>../../../../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

adapters/oidc/jetty/jetty9.1/pom.xml

@@ -21,7 +21,7 @@
     <parent>
 		<artifactId>keycloak-parent</artifactId>
 		<groupId>org.keycloak</groupId>
-        <version>2.4.1.Final-SNAPSHOT</version>
+        <version>2.5.0.Final-SNAPSHOT</version>
 		<relativePath>../../../../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

adapters/oidc/jetty/jetty9.2/pom.xml

@@ -21,7 +21,7 @@
     <parent>
 		<artifactId>keycloak-parent</artifactId>
 		<groupId>org.keycloak</groupId>
-        <version>2.4.1.Final-SNAPSHOT</version>
+        <version>2.5.0.Final-SNAPSHOT</version>
 		<relativePath>../../../../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

adapters/oidc/jetty/jetty9.3/pom.xml

@@ -21,7 +21,7 @@
     <parent>
 		<artifactId>keycloak-parent</artifactId>
 		<groupId>org.keycloak</groupId>
-        <version>2.4.1.Final-SNAPSHOT</version>
+        <version>2.5.0.Final-SNAPSHOT</version>
 		<relativePath>../../../../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

adapters/oidc/jetty/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>2.4.1.Final-SNAPSHOT</version>
+        <version>2.5.0.Final-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <name>Keycloak Jetty Integration</name>

adapters/oidc/js/pom.xml

@@ -21,7 +21,7 @@
 	<parent>
 		<artifactId>keycloak-parent</artifactId>
 		<groupId>org.keycloak</groupId>
-		<version>2.4.1.Final-SNAPSHOT</version>
+		<version>2.5.0.Final-SNAPSHOT</version>
         <relativePath>../../../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>

adapters/oidc/js/src/main/resources/keycloak.js

@@ -846,14 +846,15 @@
                     kc.clearToken();
                 }
 
-                for (var i = loginIframe.callbackList.length - 1; i >= 0; --i) {
-                    var promise = loginIframe.callbackList[i];
+                var callbacks = loginIframe.callbackList.splice(0, loginIframe.callbackList.length);
+
+                for (var i = callbacks.length - 1; i >= 0; --i) {
+                    var promise = callbacks[i];
                     if (event.data == "unchanged") {
                         promise.setSuccess();
                     } else {
                         promise.setError();
                     }
-                    loginIframe.callbackList.splice(i, 1);
                 }
             };